Embodiments of the present invention are directed to systems, apparatuses and methods for processing payment transactions, and more specifically, to use of an out of band authentication process in the authorization of an electronic commerce transaction. The out of band authentication process provides both an Issuer and the owner of a valid payment device with added security in situations in which a transaction is conducted remotely and a Merchant is unable to request verifiable identification from a person making a purchase or payment. The inventive out of band authentication process may be used to detect and prevent potentially fraudulent transactions by identifying situations where a transaction is initiated using a personal computer but the operator of the computer is unable to provide the requested out of band authorization for the transaction. The out of band authorization may involve providing data using an out of band communication process, with the data having been registered with an Issuer and associated with a valid owner of the account being used to pay for the transaction.
Consumer payment devices such as debit cards or credit cards are used by millions of people worldwide to facilitate various types of commercial transactions. In a typical transaction involving the purchase of a product or service at a merchant location, the payment device is presented at a point of sale terminal (“POS terminal”) located at a merchant's place of business. The POS terminal may be a card reader or similar device that is capable of accessing data stored on the payment device, where this data may include identification or authentication data, for example. Some or all of the data read from the payment device is provided to the merchant's transaction or data processing system and then to the Acquirer, which is typically a bank or other institution that manages the merchant's account. The data provided to the Acquirer may then be provided to a payment processing network (e.g., a payment processor) which processes the data to determine if the transaction should be authorized by the network, and assists in the clearance and account settlement functions for the transaction. The authorization decision and clearance and settlement portions of the overall transaction may also involve communication and/or data transfer between the payment processing network and the bank or institution that issued the payment device to the consumer (the Issuer). Transactions in which a consumer payment device is presented to a merchant or accessed by a point of sale terminal are termed “card present” transactions since the payment device is in the same physical location as the merchant or terminal.
In addition to card present transactions, a consumer may also initiate a transaction in a situation in which the payment device is not in the same physical location as the merchant or terminal, and instead the relevant data is provided over a communications network to the merchant (termed a “card not present” transaction). For example, a card not present transaction involving the purchase of a product or service may be initiated by a consumer by providing payment data from a remote location to a merchant over a network such as the Internet. Transactions of this type are typically initiated using a computing device such as a personal computer or laptop computer. Thus, payment information for a transaction may be provided using a payment device and point of sale terminal or remotely located computing device, among other methods.
Given the large number of transactions and the amounts of money involved, the detection and prevention of fraud is an important consideration of any transaction processing system. In order to address this problem, payment processors and others involved in authorizing a transaction typically require that a user provide one or more forms of authentication or identification prior to authorizing a transaction. In a card present transaction, a merchant may simply ask for another form of identification from the customer, such as a picture ID (driver's license, passport, etc.) to provide additional assurance that the customer is authorized to use the consumer payment device being presented.
However, in the case of a card not present transaction (such as an eCommerce transaction conducted over the Internet) a merchant cannot as readily be certain that the person who is attempting to use a payment device is the person who is authorized to use that device. The remote nature of the transaction makes a picture ID or other form of identification both impractical and unreliable as a means of authenticating a consumer. Further, requesting an additional piece of supposedly confidential data from the person attempting to use the payment device may not be sufficient to verify that the person is authorized to use the payment device. This is because in some situations the additional data may be obtained fraudulently in the same manner as the payment device account data (e.g., by improperly obtaining access to a person's computer that stores the account data and other confidential data).
What is desired is a system, apparatus and method for authorizing an electronic payment transaction, such as an eCommerce transaction, and which overcomes the disadvantages or limitations of current approaches.